Introduction to General Data Protection Regulation (GDPR)
Presentation by Michalis Mantzaris, PhD
Presentation Structure
• What is the GDPR? When and where does it apply? Constituent elements and guideline provision
• Key changes and additions compared to the previous EU Data Protection Directive
• Key definitions in GDPR: definitions, principles
• GDPR application in scientific research: roles, prospective and retrospective data, safeguards
• A practical “all in one” example of implementation in a research programme
What is the GDPR?
• The General Data Protection Regulation (GDPR) is the EU’s new regulation designed to protect the personal data and privacy of every data subject located in the EU, regardless of where the processing takes place.
• GDPR applies to every organisation located in the EU that processes personal data, regardless of nationality, and covers several activities and aspects including data collection, processing, transfer, storage, security and data subject rights.
• GDPR will be enforced from 25 May 2018, and non-compliance can be fined up to 4% of annual global turnover or €20 million. Fines will be served by the respective DPAs.
GDPR affected countries
GDPR applies to EU and European Economic Area (EEA) members:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland (EEA), Ireland, Italy, Latvia, Liechtenstein (EEA), Lithuania, Luxembourg, Malta, Netherlands, Norway (EEA), Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom (BREXIT, EEA)
• All personal data entering or leaving the EEA are protected by GDPR
GDPR constituent elements and guidelines
• GDPR comprises 11 chapters which include 99 Articles, with one or more sub-articles, for the protection of personal data.
• The 99 Articles were adopted considering 173 Recitals.
• Although Articles and Recitals are complementary to each other, the Court of Justice of the European Union uses the Recitals to establish a Regulation’s or Directive’s meaning.
• Guidelines for the consistent implementation of the GDPR are provided by the Article 29 Working Party (WP29), comprising members of each Member State’s DPA. The WP29 will be renamed the European Data Protection Board (EDPB), with enhanced roles in providing guidelines and decisions.
WHAT IS NEW IN THE GDPR? Key changes to the existing EU Data Protection Directive
• Transparency and accountability are now main principles of data protection, and both controllers and processors are liable under GDPR
• Special provisions for scientific research
• Enhanced data subject rights, such as the right to be forgotten and the right to data portability
• No need for DPA authorisation, but mandatory Data Protection Impact Assessments (DPIAs)
• Mandatory appointment of a Data Protection Officer (DPO)
• Mandatory procedures for managing data breaches
• European Codes of Conduct
• Certification mechanisms specifically for data protection
• Sanctions and fines
Key definitions in GDPR
• Personal data: any information relating to an identifiable natural person, e.g. name, ID, location, online identifier, physical, health (Recital 35), genetic (Recital 34), biometric, mental, economic, cultural or social data.
• Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, DNA or RNA analysis, or from the analysis of another element enabling equivalent information to be obtained.
• Health data: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. This includes information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples, and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
Key definitions in GDPR
• Processing: any operation performed on personal data, whether or not by automated means, e.g. collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure or destruction.
• Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a person without the use of additional information, which is kept separately and secured by means of technical and organisational measures. Pseudonymised data are still personal data subject to GDPR.
• Anonymous data: information which does not relate to an identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. GDPR does not concern the processing of such anonymous information, including for statistical or research purposes (Recital 26).
Key definitions in GDPR
• Controller: the person, authority or other body which, alone or jointly, determines the purposes and means (the why and how) of the processing of personal data.
• Processor: a person, authority or other body which processes personal data on behalf of the controller.
• Data Protection Officer (DPO): a staff member, or a professional engaged on the basis of a service contract, who has expert knowledge of data protection law and practices, is able to monitor compliance with GDPR and provide advice, communicates with the supervisory authority (DPA), and is accessible to data subjects with regard to the exercise of their rights.
Principles of the GDPR
• Lawful, fair and transparent processing (a legal basis, e.g. consent; otherwise purpose compatibility or the scientific purpose exemption under appropriate safeguards such as encryption or pseudonymisation)
• Purpose limitation (data not further processed in a manner that is incompatible with the initial purposes)
• Data minimisation (limited to what is necessary in relation to the initial purposes)
• Accuracy (data updated and rectified where necessary)
• Storage limitation (data kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the study; exception: scientific research purposes, with the appropriate safeguards including the required technical and organisational measures)
• Integrity and confidentiality (protection against unlawful processing, accidental loss, destruction or damage)
• Accountability (controller and processor shall be able to demonstrate compliance with the previous points)
GDPR application in scientific research: Data protection by design
• Controllers: partners who collect patient data and biological samples. Each controller has full control of the collected data, which it has to pseudonymise, holding the key in a separate location. The controller decides “why and how” to process its data. The “how” does not necessarily mean that the controller processes the data itself; it can outsource the task to a processor because of the processor’s expertise.
• Processors: partners who process patient data on behalf of the controllers, under their specific instructions and under a contract. A processor is also liable for the processing of the data. A processor can sub-contract part of the processing to a sub-processor by obtaining the controller’s consent and maintaining liability. Overall control of the data and processing remains with the original controller.
GDPR application in scientific research: Data protection by design
• Contracts: contracts must contain the information described in Articles 28, 45 and 47. Contract templates for EU data transfers and Standard Contractual Clauses for non-EU transfers are available.
• Data transfers: each controller must implement appropriate pseudonymisation or encryption measures for data protection by design (Article 25), and before data is transferred for further processing purposes.
• Processing records: each controller or processor is responsible for maintaining a record of processing activities in electronic form, with the specific information described in Article 30, to be provided to the supervisory authority or the data subject upon request. Full record templates are available.
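The pseudonymisation defined above, as a controller would apply it before a transfer (the controller keeps the key and the re-identification table, the processor receives only pseudonymised rows), shown as an added example that is not part of the presentation; the records, field names and key are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records held by a controller (not real patients).
RAW_RECORDS = [
    {"name": "Alice Example", "national_id": "ID-0001", "diagnosis": "type 2 diabetes", "birth_year": 1964},
    {"name": "Bob Example", "national_id": "ID-0002", "diagnosis": "hypertension", "birth_year": 1957},
]
DIRECT_IDENTIFIERS = ("name", "national_id")


def make_pseudonym(key: bytes, national_id: str) -> str:
    """Keyed HMAC of the identifier: the same subject always gets the same
    pseudonym, but nobody without the key can reproduce or reverse it."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> tuple:
    """Split the records into the dataset that leaves the controller and the
    re-identification table that stays behind, kept separately from the data."""
    dataset, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(key, rec["national_id"])
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        # Indirect identifiers (diagnosis, birth year) remain, so the output is
        # still personal data in GDPR terms, not anonymous data.
        dataset.append({"pseudonym": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, lookup


def reidentify(row: dict, lookup: dict):
    """Controller-side step: only the holder of the separately kept table
    (the 'additional information') can attribute a row back to a person."""
    return lookup.get(row["pseudonym"])


def drop_link(dataset: list) -> list:
    """Remove the pseudonym so no link to the key table remains. Whether the
    remainder counts as anonymous (Recital 26) still depends on the indirect
    identifiers left in each row; this function does not decide that."""
    return [{k: v for k, v in row.items() if k != "pseudonym"} for row in dataset]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held by the controller only
    data_for_processor, key_table = pseudonymise(RAW_RECORDS, key)
    print(data_for_processor[0])           # no name or national_id present
    print(reidentify(data_for_processor[0], key_table)["name"])
```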
GDPR application in scientific research: Data protection by design
• Data repositories: data should be stored and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the study (storage limitation). However, data may be stored for longer periods for scientific research purposes with the appropriate safeguards (Article 89, Recital 156). Recital 156 refers to clinical trials as a scientific purpose where processing must also comply with the relevant legislation, such as the ICH GCP guidelines and the EU’s Clinical Trial Regulation, which specify certain archive periods for clinical trials. This means clinical trials can retain their data even if the data subject requests erasure (however, the status of observational studies should be addressed).
• In addition, appropriate technical and organisational measures for protection against unlawful processing, accidental loss, destruction or damage shall be taken (data security), as described in Article 32.